LinuxQuestions.org
Forum: Linux - Security (security related questions, tips, system compromises, firewalls, etc.)
Old 10-25-2007, 06:03 AM   #1
zQUEz
Member
 
Registered: Jun 2007
Distribution: Fedora, RHEL, Centos
Posts: 294

Rep: Reputation: 54
chattr +i disallows sudo


Not sure if this is by design or something I am doing wrong. I have RHEL4 servers with some located in a DMZ. While changing the SSH config to disallow root logins, I have come across an issue where if I ssh into any of the DMZ servers (as my user account) and try either "su - root" or "sudo {command}" I get an error (e.g. "Sorry, sudo must be setuid root." or the password is invalid for root).
/etc/sudoers is set up correctly as it does work for non-DMZ servers.
The root password is correct as I can log in directly as root (without ssh locked down).

I have narrowed it down to the fact that our DMZ servers have "chattr +i /etc/passwd /etc/group /etc/shadow" and if I remove this (chattr -i ...) then sudo and su - root work.

Perhaps I don't understand what immutable means exactly, because I thought it meant these files can't be changed and I don't see how sudo or su is changing these files. Does anyone else have this issue? Is this by design? How do other people get around this? It seems like a standard thing to disallow root ssh logins.

thanks
 
Old 10-25-2007, 07:20 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I tried setting the "i" bit on the same files and was able to use su and sudo. Did you take the error message at its word and check if the sudo program is suid root?
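The reply above suggests verifying the two facts the error message and the OP's narrowing point at, rather than assuming the immutable bit is the cause. The following is an added POSIX shell example (not code from this thread or from LinuxQuestions.org) that does exactly that audit: it parses lsattr output (from e2fsprogs, assumed installed) to report whether the account files carry the immutable attribute, and tests whether the sudo binary still has its setuid bit. The function names are my own.

```shell
#!/bin/sh
# Added example: audit helpers for the two checks discussed in the thread.
# lsattr_line_is_immutable - parse one line of lsattr output, such as
#   "----i--------e-- /etc/passwd", and return 0 if the lowercase 'i'
#   (immutable) attribute is present in the attribute field.
lsattr_line_is_immutable() {
    attrs=${1%% *}          # attribute field is everything before the first space
    case "$attrs" in
        *i*) return 0 ;;    # only the immutable flag uses lowercase 'i'
        *)   return 1 ;;
    esac
}

# has_setuid_bit - return 0 if the file has the setuid bit set ([ -u ] is POSIX).
# This is what "sudo must be setuid root" complains about when it is missing.
has_setuid_bit() {
    [ -u "$1" ]
}

# is_owned_by_root - return 0 if the file's owner is root (uses ls for portability).
is_owned_by_root() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ]
}

# audit_immutable_and_sudo - report the immutable state of the account files
# named in the thread and the setuid/owner state of the sudo binary.
audit_immutable_and_sudo() {
    for f in /etc/passwd /etc/group /etc/shadow; do
        # lsattr needs read access to the file and an ext2/3/4 filesystem;
        # as a non-root user /etc/shadow will usually be unreadable.
        if command -v lsattr >/dev/null 2>&1 && line=$(lsattr "$f" 2>/dev/null); then
            if lsattr_line_is_immutable "$line"; then
                echo "$f: immutable (+i) is set"
            else
                echo "$f: immutable (+i) is not set"
            fi
        else
            echo "$f: lsattr unavailable or file unreadable"
        fi
    done

    sudo_bin=$(command -v sudo 2>/dev/null) || sudo_bin=""
    if [ -z "$sudo_bin" ]; then
        echo "sudo: not found in PATH"
        return 0
    fi
    if has_setuid_bit "$sudo_bin" && is_owned_by_root "$sudo_bin"; then
        echo "$sudo_bin: setuid root (as required)"
    else
        echo "$sudo_bin: NOT setuid root - this matches the error in the thread"
    fi
}

audit_immutable_and_sudo
```

Run it as the unprivileged account that fails to escalate; if sudo reports "NOT setuid root", the immutable bit is a red herring and the binary's mode or owner was changed (for example by a permission-fixing script or a package update), which is worth tracing before touching chattr.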
 
Old 10-25-2007, 11:57 PM   #3
hackintosh
Member
 
Registered: Dec 2005
Posts: 52

Rep: Reputation: 15
Quote:
Originally Posted by zQUEz
Not sure if this is by design or something I am doing wrong. I have RHEL4 servers with some located in a DMZ. While changing the SSH config to disallow root logins, I have come across an issue, where if I ssh into any of the DMZ servers (as my user account), and try and either "su - root" or "sudo {command}" I get an error. (e.g. "Sorry, sudo must be setuid root." or the password is invalid for root.).
/etc/sudoers is setup correctly as it does work for non DMZ servers.
The root password is correct as I can login directly as root (without ssh locked down).

I have narrowed it down to the fact that our DMZ servers have "chattr +i /etc/passwd /etc/group /etc/shadow" and if I remove this (chattr -i ...) then sudo and su - root works.

Perhaps I don't understand what immutable means exactly, because I thought it meant these files can't be changed and I don't see how sudo or su is changing these files. Does anyone else have this issue? Is this by design? How do other people get around this? It seems like a standard thing to disallow root ssh logins.

thanks
i = immutable..
brother, please remove it
chattr -i /etc/sudoers